SYSTEM POST-IMPLEMENTATION REVIEW AUDIT WORK PROGRAM

This audit program is designed to assess the usage, supporting information technology processes, and infrastructure for [System]. Additionally, this document will assist with limited testing of the operational effectiveness of the system and its interfaces.

Source: www.knowledgeleader.com

OBJECTIVES
• Confirm the company’s current system utilization with key users to verify that it is meeting the intended business needs, to identify potential improvement opportunities, and to validate key areas of risk/concern.
• Verify that access to the application is appropriately restricted, that only authorized personnel have physical access to the resources on which the application resides, and that users are aware of their responsibilities.
• Verify that data processing and interface utilization procedures help ensure the continued integrity of the data utilized by the application. Additionally, verify that resources required by the application are readily available.
• Verify that the ability to make changes to the system and/or supporting infrastructure is appropriately restricted and that modifications follow defined change control procedures.
• Verify that the system has been appropriately incorporated into existing data backup, business continuity and disaster recovery procedures.

IN-SCOPE ENTITIES
• Name
• Name
• Name

KEY CONTACTS

THE SYSTEM
• Name
• Name
• Name
• Name

THE SYSTEM
• Name
• Name
• Name
• Name

THE SYSTEM
• Name
• Name
• Name
• Name

INTERNAL AUDITOR
• Name
• Name
• Name
• Name

TIMING
• Hours allocated: #
• Fieldwork will commence the week of Date and will conclude the week of Date.
• A report will be issued for management action plan responses no later than Date.
• Audit report findings will be presented to the audit committee during the Date meeting.

General and/or Administrative
• Meet with key contacts to gain a high-level understanding of the process and discuss audit objectives.
• Prepare/finalize the audit work program and timing.
• Conduct detailed planning and schedule meetings.
• Execute audit procedures.
• Perform quality assurance and quality control activities.
• Prepare final deliverables.
• Perform follow-up, contingency and other administrative tasks.

Audit Procedures

Objective A: Confirm the company’s current system utilization with key users to verify that it is meeting the intended business needs, to identify potential improvement opportunities, and to validate key areas of risk/concern.

Procedures:
• Identify the intended business goals for the system along with any applicable metrics being utilized to monitor business activities.
• Identify key system users at each of the in-scope facilities.
• Conduct information-gathering interview(s) with a selected sample of users to gain a baseline understanding of their current utilization of the system.
• Identify instances in which the system is not currently being used as intended.
• Conduct discussions with key users to identify potential improvement opportunities based on desired enhancements and efficiency/utilization concerns, and to assess alignment with the intended business goals.
• Identify potential areas of risk/concern based on usage of the system that falls outside of, or short of, the intended business need.

Objective B: Verify that access to the system is appropriately restricted, that only authorized personnel have physical access to the resources on which the system resides, and that users are aware of their responsibilities.

Procedures – Logical Access to Resources:
• Identify individuals with security administration responsibilities over the system.
• Through discussions with the identified individuals, identify the process by which access to the system is managed. Ensure that access setup and modification are appropriately authorized, that terminations are performed in a timely manner, and that access rights are periodically reviewed for appropriateness.
• Determine the ability of users to access the system remotely and ensure that remote access is appropriately restricted to authorized personnel.
• Obtain documentation of the specific password parameters utilized for both network and application access. Determine whether the parameters appropriately prevent unauthorized access to the system.
• Obtain a list of current users and validate, on a sample basis, the appropriateness of their access with select departmental leadership at each sampled facility.

Procedures – Physical Access to Resources:
• Determine the location of key system technology infrastructure and verify that access is limited to authorized personnel.
• Confirm that a formal process is in place for managing access rights for the identified location.

Procedures – User Awareness of Responsibilities:
• Identify training, education and awareness initiatives in place to ensure that users are aware of their responsibilities, of the need to safeguard access to the application, and of the standards for its acceptable use.

Objective C: Verify that data processing and interface utilization procedures help ensure the continued integrity of the data utilized by the application. Additionally, verify that resources required by the application are readily available.

Procedures:
• Identify individuals with responsibilities over the system for managing data processing and interface resources.
• Through discussions with the identified individuals, identify the method(s) by which data is processed, manipulated, and/or transferred to and received from other systems. Evaluate each of the following, to the extent applicable, for reasonableness:
− User access to batch processing interfaces.
− Error detection reporting capabilities (e.g., transaction rollback) and review procedures.
− Performance of data integrity checks.
• Perform limited testing, on a sample basis, of system and interface operational effectiveness.
• Review the methods used to monitor system performance and availability to ensure that resources required by the application are readily available. Additionally, determine consistency with established service-level agreements (as applicable).
• Identify the support processes (e.g., help desk function) for exception handling and error reporting to ensure that issues are resolved in a timely manner.

Objective D: Verify that the ability to make changes to the system and/or supporting infrastructure is appropriately restricted and that modifications follow defined change control procedures.

Procedures:
• Identify individuals with change control responsibilities over the system.
• Through discussions with the identified individuals, request and obtain existing change control documentation and identify the process(es) in place for the following:
− Identifying and approving necessary changes.
− Prioritizing changes.
− Quality assurance testing (e.g., user-acceptance testing).
− Segregation of duties (e.g., developer access to production).
− Reconciling documented changes with those implemented.
− Emergency procedures (e.g., retro-approval process).
− Rollback procedures.
− End-user involvement and communication.

Objective E: Verify that the system has been appropriately incorporated into existing data backup, business continuity and disaster recovery procedures.

Procedures:
• Identify individuals with data backup, business continuity and disaster recovery responsibilities over the system.
• Through discussions with the identified individuals, determine the coverage of existing data backup procedures to ensure that the system is appropriately addressed in the following areas:
− Identification of critical data.
− Backup schedule (including the types of backups performed).
− Rotation schedule.
− Critical recovery timeframes.
− Data gap analysis (i.e., how much data would be “lost” since the last backup).
− Data integrity validation (e.g., mock restores).
• Confirm the location in which data backups are stored to ensure that access is restricted to authorized personnel (both physically and logically) and that data backup sets are appropriately protected.
• Identify training, education and awareness initiatives in place to ensure that users assigned to data backup tasks are aware of their responsibilities.
• Identify environmental controls in place to safeguard the location of key system technology infrastructure.
• Determine the extent to which formal business continuity and/or disaster recovery processes exist and ensure that their coverage has been updated to address business needs. Evaluate the following for reasonableness:
− The existence of formal process(es) and the extent to which the system is addressed.
− The system’s ability to recover critical application resources.
− Third-party/vendor arrangements.
− Periodic testing/employee awareness.